Bug 2148841
Summary: | [RHEL9.2] format failed when enable fips | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | guazhang <guazhang> | |
Component: | cryptsetup | Assignee: | Daniel Zaťovič <dzatovic> | |
Status: | CLOSED ERRATA | QA Contact: | guazhang <guazhang> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | 9.2 | CC: | agk, cllang, dbelyavs, hkario, jbrassow, okozina, omoris, prajnoha | |
Target Milestone: | rc | Keywords: | Triaged, ZStream | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | cryptsetup-2.6.0-2.el9 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 2151576 2151584 (view as bug list) | Environment: | ||
Last Closed: | 2023-05-09 08:23:06 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 2151576, 2151584 |
Description
guazhang@redhat.com
2022-11-28 06:17:46 UTC
Please, could you provide me with output of "openssl help" command run on the test machine? [root@intel-chiefriver-02 cryptsetup]# openssl help help: Standard commands asn1parse ca ciphers cmp cms crl crl2pkcs7 dgst dhparam dsa dsaparam ec ecparam enc engine errstr fipsinstall gendsa genpkey genrsa help info kdf list mac nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand rehash req rsa rsautl s_client s_server s_time sess_id smime speed spkac srp storeutl ts verify version x509 Message Digest commands (see the `dgst' command for more details) blake2b512 blake2s256 md2 md4 md5 rmd160 sha1 sha224 sha256 sha3-224 sha3-256 sha3-384 sha3-512 sha384 sha512 sha512-224 sha512-256 shake128 shake256 sm3 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1 aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8 aria-256-ctr aria-256-ecb aria-256-ofb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb seed seed-cbc seed-cfb seed-ecb seed-ofb zlib [root@intel-chiefriver-02 cryptsetup]# [root@intel-chiefriver-02 cryptsetup]# It's possible to create the volume in FIPS mode by specifying the PKKDF2 iteration count explicitly, like so: cryptsetup luksFormat --pbkdf-force-iterations 1000000 /dev/loop0 -q --debug Turning off the benchmark is not solution. We definitely do not want users to provide pbkdf parameters manually when adding keyslots. It has to be fixed. Yes, it's a bug, it needs to be fixed, it's just a workaround to allow further testing with FDE in FIPS mode. *** Bug 2152509 has been marked as a duplicate of this bug. *** [root@storageqe-104 ~]# fips-mode-setup --check FIPS mode is enabled. [root@storageqe-104 ~]# echo 'redhat redhat'|cryptsetup luksFormat /dev/loop0 test pass with the fixed package. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (cryptsetup bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2534 |